<html xmlns:th="http://www.thymeleaf.org">

<div class="lesson-page-wrapper">
    <!-- First lesson page: introduction only, no assignment. One lesson-page-wrapper per page of the lesson. -->
    <!-- The visible text is not written here; th:replace pulls it from the AsciiDoc file
         src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc (here IDOR_intro.adoc). -->
    <div class="adoc-content" th:replace="doc:IDOR_intro.adoc"></div>
</div>

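<div class="lesson-page-wrapper">
    <!-- Second lesson page: the login step. One lesson-page-wrapper per page of the lesson; the lesson text is
         rendered by th:replace from src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:IDOR_login.adoc"></div>
    <div class="attack-container">
        <!-- the check icon starts hidden; the WebGoat front end reveals it once the assignment is solved -->
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <!-- The attack-form class makes WebGoat submit this form via ajax so the result stays inside the lesson
             display. A form without that class does a normal submission, which navigates to the endpoint and out
             of the WebGoat framework (custom ajax handling in your own script is also possible). -->
        <!-- accept-charset="UNKNOWN" was dropped: it is not a valid encoding label, so browsers ignored it and fell
             back to the document encoding anyway. The enctype is kept as WebGoat boilerplate; browsers ignore an
             unknown enctype, and the ajax layer presumably sets the real content type (confirm in the front end). -->
        <form class="attack-form"
              method="POST" name="form"
              action="/WebGoat/IDOR/login"
              enctype="application/json;charset=UTF-8">
            <!-- field names (username, password) are the request parameters the endpoint reads; do not rename them -->
            <label for="idor-login-username">user:</label>
            <input id="idor-login-username" name="username" type="text">
            <label for="idor-login-password">pass:</label>
            <input id="idor-login-password" name="password" type="password">
            <!-- NOTE(review): name="submit" shadows the form's submit() method (document.forms.form.submit resolves to
                 this input). Harmless with ajax submission, but confusing for any script that calls form.submit(). -->
            <input name="submit" value="Submit" type="submit">
        </form>
        <!-- Keep the two div's below: WebGoat writes the feedback and the server response into them. They can be
             moved, but then the lesson will not look consistent with the others. -->
        <div class="attack-feedback"></div>
        <div class="attack-output"></div>
    </div>
</div>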

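<div class="lesson-page-wrapper">
    <!-- Third lesson page: view your own profile, then report which attributes differ. One lesson-page-wrapper per
         page of the lesson; the lesson text is rendered by th:replace from
         src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:IDOR_viewDiffs.adoc"></div>
    <div class="attack-container">
        <!-- the check icon starts hidden; the WebGoat front end reveals it once the assignment is solved -->
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <!-- The attack-form class makes WebGoat submit this form via ajax so the result stays inside the lesson
             display. A form without that class does a normal submission, which navigates to the endpoint and out
             of the WebGoat framework (custom ajax handling in your own script is also possible). -->
        <!-- accept-charset="UNKNOWN" was dropped: it is not a valid encoding label, so browsers ignored it anyway.
             The enctype is kept as WebGoat boilerplate; browsers ignore an unknown enctype value. -->
        <form class="attack-form"
              method="GET" name="form"
              action="/WebGoat/IDOR/profile"
              enctype="application/json;charset=UTF-8">
            <!-- The script element must be closed explicitly: <script .../> is not self-closing in HTML, and a
                 parser that treats it as an open tag swallows the rest of the page as script text. idor.js is also
                 loaded by the other profile forms in this lesson; loading it once per page would be cleaner. -->
            <script th:src="@{/lesson_js/idor.js}"></script>
            <!-- onViewProfile() is defined in idor.js, which owns this binding. Note the inline handler would be
                 blocked by a Content-Security-Policy that does not allow 'unsafe-inline'. -->
            <input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();">
        </form>
        <!-- presumably idor.js renders the fetched profile here; confirm against the script -->
        <div id="idor-profile"></div>
        <!-- Keep the two div's below: WebGoat writes the feedback and the server response into them. They can be
             moved, but then the lesson will not look consistent with the others. -->
        <div class="attack-feedback"></div>
        <div class="attack-output"></div>
    </div>

    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <!-- attack-form: ajax submission inside the WebGoat display, as for the form above -->
        <div class="adoc-content" th:replace="doc:IDOR_whatDiffs.adoc"></div>
        <!-- NOTE(review): this action is relative (it resolves against the current page URL) while every other form
             in this lesson uses an absolute /WebGoat/... path. It works as long as the lesson is served under
             /WebGoat/, but one convention across the lesson would be safer. -->
        <form class="attack-form"
              method="POST" name="diff-form"
              action="IDOR/diff-attributes"
              enctype="application/json;charset=UTF-8">
            <!-- "attributes" is the request parameter the endpoint reads; do not rename it -->
            <label for="idor-diff-attributes">attributes</label>
            <input id="idor-diff-attributes" name="attributes" type="text">
            <input name="Submit Diffs" value="Submit Diffs" type="submit">
        </form>

        <!-- Keep the two div's below: WebGoat writes the feedback and the server response into them. They can be
             moved, but then the lesson will not look consistent with the others. -->
        <div class="attack-feedback"></div>
        <div class="attack-output"></div>
    </div>
</div>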

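<div class="lesson-page-wrapper">
    <!-- Fourth lesson page: reach your own profile through an alternative path. One lesson-page-wrapper per page of
         the lesson; the lesson text is rendered by th:replace from
         src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:IDOR_viewOwnAltPath.adoc"></div>
    <div class="attack-container">
        <!-- the check icon starts hidden; the WebGoat front end reveals it once the assignment is solved -->
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <!-- The attack-form class makes WebGoat submit this form via ajax so the result stays inside the lesson
             display. A form without that class does a normal submission, which navigates to the endpoint and out
             of the WebGoat framework (custom ajax handling in your own script is also possible). -->
        <!-- accept-charset="UNKNOWN" was dropped: it is not a valid encoding label, so browsers ignored it anyway.
             The enctype is kept as WebGoat boilerplate; browsers ignore an unknown enctype value. -->
        <form class="attack-form"
              method="POST" name="form"
              action="/WebGoat/IDOR/profile/alt-path"
              enctype="application/json;charset=UTF-8">
            <!-- the AsciiDoc snippet below is the visible prompt for the input; it is not a <label>, so the input
                 carries an aria-label to give assistive technology an accessible name -->
            <div class="adoc-content" th:replace="doc:IDOR_inputAltPath.adoc"></div>
            <!-- "url" is the request parameter the endpoint reads; the prefilled value is the starting point the
                 learner is expected to complete -->
            <input name="url" value="WebGoat/" type="text" aria-label="url">
            <!-- NOTE(review): name="submit" shadows the form's submit() method; harmless with ajax submission -->
            <input name="submit" value="Submit" type="submit">
        </form>
        <!-- Keep the two div's below: WebGoat writes the feedback and the server response into them. They can be
             moved, but then the lesson will not look consistent with the others. -->
        <div class="attack-feedback"></div>
        <div class="attack-output"></div>
    </div>
</div>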

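<div class="lesson-page-wrapper">
    <!-- Fifth lesson page: view and then edit another user's profile. One lesson-page-wrapper per page of the
         lesson; the lesson text is rendered by th:replace from
         src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:IDOR_viewOtherProfile.adoc"></div>
    <div class="attack-container">
        <!-- the check icon starts hidden; the WebGoat front end reveals it once the assignment is solved -->
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <!-- The attack-form class makes WebGoat submit this form via ajax so the result stays inside the lesson
             display. A form without that class does a normal submission, which navigates to the endpoint and out
             of the WebGoat framework (custom ajax handling in your own script is also possible). -->
        <!-- accept-charset="UNKNOWN" was dropped: it is not a valid encoding label, so browsers ignored it anyway.
             The enctype is kept as WebGoat boilerplate; browsers ignore an unknown enctype value. -->
        <!-- The action contains a literal {userId} placeholder. Submitted as-is it would not reach a real profile;
             presumably idor.js (hooked on id="view-other") substitutes the id before the request is sent.
             Confirm against the script before changing the id or the action. -->
        <form class="attack-form" id="view-other"
              method="GET" name="view-other-profile"
              action="/WebGoat/IDOR/profile/{userId}"
              enctype="application/json;charset=UTF-8">
            <!-- The script element must be closed explicitly: <script .../> is not self-closing in HTML, and a
                 parser that treats it as an open tag swallows the rest of the page as script text. -->
            <script th:src="@{/lesson_js/idor.js}"></script>
            <input name="View Profile" value="View Profile" type="submit">
        </form>

        <!-- Keep the two div's below: WebGoat writes the feedback and the server response into them. They can be
             moved, but then the lesson will not look consistent with the others. -->
        <div class="attack-feedback"></div>
        <div class="attack-output"></div>
    </div>

    <div class="adoc-content" th:replace="doc:IDOR_editOtherProfile.adoc"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <!-- attack-form: ajax submission inside the WebGoat display, as for the form above -->
        <!-- Same {userId} placeholder as the view form; presumably idor.js (hooked on id="edit-other") rewrites the
             request for the edit step. The form itself declares GET, so any method change must happen in the script. -->
        <form class="attack-form" id="edit-other"
              method="GET" name="edit-other-profile"
              action="/WebGoat/IDOR/profile/{userId}"
              enctype="application/json;charset=UTF-8">
            <!-- idor.js is loaded again here so this block works even if the view form above is removed -->
            <script th:src="@{/lesson_js/idor.js}"></script>
            <!-- NOTE(review): the button still reads "View Profile" although this form is the edit step; confirm
                 that idor.js does not depend on the value before relabelling it -->
            <input name="View Profile" value="View Profile" type="submit">
        </form>
        <!-- Keep the two div's below: WebGoat writes the feedback and the server response into them. They can be
             moved, but then the lesson will not look consistent with the others. -->
        <div class="attack-feedback"></div>
        <div class="attack-output"></div>
    </div>

</div>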

<div class="lesson-page-wrapper">
    <!-- Last lesson page: mitigation guidance only, no assignment form. -->
    <!-- The text comes from the AsciiDoc file IDOR_mitigation.adoc under
         src/main/resources/plugin/lessonplans/{lang}/ and is rendered in place by th:replace. -->
    <div class="adoc-content" th:replace="doc:IDOR_mitigation.adoc"></div>
</div>

</html>
